Bug 11765

Summary:

REGRESSION: Clicking on a select with size other than 1 and no children results in a crash

Product:

WebKit

Reporter:

Jacob Lukas <jlukas>

Component:

New Bugs

Assignee:

Nobody <webkit-unassigned>

Status:

RESOLVED FIXED

Severity:

Normal

CC:

mitz

Priority:

Keywords:

Regression

Version:

420+

Hardware:

Mac

OS:

OS X 10.4

Attachments:

Description	Flags
Reduced test case	none
First attempt	adele: review+

Jacob Lukas

Reported 2006-12-05 17:15:58 PST

Clicking on a select with size other than 1 and no children results in a crash. This is reproducible every time.

Attachments
Reduced test case (650 bytes, application/xhtml+xml) 2006-12-05 17:16 PST, Jacob Lukas	no flags	Details
First attempt (4.02 KB, patch) 2006-12-08 05:17 PST, Rob Buis	adele: review+	Details Formatted Diff Diff
View All Add attachment proposed patch, testcase, etc.

Jacob Lukas

Comment 1 2006-12-05 17:16:33 PST

Created attachment 11747 [details] Reduced test case

Matt Lilek

Comment 2 2006-12-05 17:44:34 PST

Confirming - I also get the following assertion failure ASSERTION FAILED: i < size() (/Users/matt/Code/WebKit/WebKitBuild/Debug/JavaScriptCore.framework/PrivateHeaders/Vector.h:387 const T& WTF::Vector<T, inlineCapacity>::at(size_t) const [with T = WebCore::HTMLElement*, long unsigned int inlineCapacity = 0ul])

Rob Buis

Comment 3 2006-12-08 05:17:38 PST

Created attachment 11771 [details] First attempt This patch should fix it. The testcase is a bit tricky but I think it does the job, with ToT it shows the crash, with my patch it will say Passed. Cheers, Rob.

Rob Buis

Comment 4 2006-12-08 15:07:42 PST

Landed in r18089.

Note You need to log in before you can comment on or make changes to this bug.